Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

UConn Finds Rootkit in Hacked Server

The malicious program has been hiding on a server for almost two years, potentially giving hackers access to personal data, the University of Connecticut discovers.

The University of Connecticut has detected a rootkit on one of its servers, almost two years after the stealth program was placed there by malicious hackers.

The rootkit was found on a server that contains names, social security numbers, dates of birth, phone numbers and addresses for most of the universitys 72,000 students, staff and faculty, university officials confirmed Monday.

"Although there is no evidence indicating that this personal data was accessed or extracted, [we are] contacting everyone whose identity may have been put at risk," UConn said in a notice posted online.

The rootkit was first placed on the server during a system compromise on October 26, 2003, but was only detected one week ago, on June 20.

UConn said the attack took advantage of an insecure service for which no vendor patch was available, but stressed that an analysis of the computer showed that that the original compromise was incomplete.

Part of the original October attack involved the installation of a "back door" to allow the hacker to remotely control the hijacked server, but the installation failed, the school said.

"The nature of the compromise indicates that the server was breached during a broad attack on the Internet, and was not the target of a directed attack. Therefore, the attacker most likely had no knowledge of the kind of data on the server," it added.

UConn is the first high-profile institution to publicly acknowledge the presence of a rootkit on a compromised server, but security researchers believe the threat is widespread and underreported.

Mark Russinovich, chief software architect at Winternals Software LP, said the UConn discovery was not at all surprising. "My guess is that there have been other discoveries in other places but we just havent heard about this. When someone does disclose the fact they found some malware on a server, I dont always expect them to be fully upfront about what it is," Russinovich said in an interview with Ziff Davis Internet News.

"We already know that some pieces of spyware are already using rootkit techniques in a primitive format. This is going to be the wave of the future, where spyware programs are trying to try to look more and more like legitimate pieces of the operating system," he added.

"I think, eventually, anti-spyware, anti-virus and rootkit detection will become the same thing. Thats the only way to realistically deal with it," Russinovich said.

Sam Curry, vice president of eTrust security management at Computer Associates International Inc., said UConn officials should be applauded for coming clean about the discovery.

"Im not at all surprised by this discovery. We knew this was possible," Curry said. "Its refreshing to see the way UConn handled this."

"It was a very responsible thing to come out and say what they found and share the information with the community. It is very important to see what these big institutions are dealing with," he added.

Sysinternals is not the only software vendor flagging rootkits as a growing threat. F-Secure Inc. is currently testing a tool called BlackLight and plans to integrate the tools rootkit-detection capabilities into its anti-virus, firewall, intrusion-detection and anti-spyware products.

Researchers at Microsoft have released Strider GhostBuster Rootkit Detection, a prototype tool capable of finding registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.